- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a way to replace indexes specified in pre...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi:
I am looking at having greater control over our indexes. The problem I have, is that there are tons of searches that are already created that reference specific indexes.
Is there anyway to do a at-search time replacement of a search that was entered?
Current setup:
index=firewalls
New setup (What I'd like to do):
index=productionfirewalls
index=nonproductionfirewalls
The reason I'd like to set this up this way, is that I want to be able to specify different time based retention policies based on the environment that the index is for. Say, production data might be x years, and non production might be 1 year of retention.
What I'd like to do is have existing searches that use index=firewalls, automatically replace that part with index=productionfirewalls OR index=nonproductionfirewalls automatically, when a user searches for index=firewalls
Is this possible?
Thanks you for any information you could provide.
-Jeff
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not aware of a way to do what you are describing. Since you've already specified index=x in the first part of your search, there isn't a way to go-back and re-search index=y OR index=z instead of index=x in the second part.
You'll probably want to do a find/replace on savedseaches.conf. The local level one is at:
/opt/splunk/etc/apps/YOURAPP/local/savedsearches.conf
Although, if you are going to touch every search, you might want to create event types first, and then change "index=x" to "eventtype=x" in all of your searches, so that future changes are less invasive. More about event types here: http://www.splunk.com/view/SP-CAAAGYK
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not aware of a way to do what you are describing. Since you've already specified index=x in the first part of your search, there isn't a way to go-back and re-search index=y OR index=z instead of index=x in the second part.
You'll probably want to do a find/replace on savedseaches.conf. The local level one is at:
/opt/splunk/etc/apps/YOURAPP/local/savedsearches.conf
Although, if you are going to touch every search, you might want to create event types first, and then change "index=x" to "eventtype=x" in all of your searches, so that future changes are less invasive. More about event types here: http://www.splunk.com/view/SP-CAAAGYK
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
